Showing posts with label RISK MANAGEMENT. Show all posts

OUTSOURCING RISK

While we covered aspects of Outsourcing risk in the above sections, there are several specific aspects that need to be looked into:

Hiring of an outsourced vendor/service provider has to cover the following aspects:
  •  Clearly defined objective of outsourcing; this has to be brought into the scope of work; 
  •  Contractual documentation to be adequate to ensure the service provider does only what is assigned and to the standard mutually agreed to by all parties involved; 
  •  Legal indemnities to the organisation to be assessed while hiring a service provider; 
  •  In agreements where the client and the service provider are in different states or in different countries, the respective countries’ or states’ laws have to be complied with; 
  •  The BCP of the service provider has to be reviewed.
  •  An operational risk assessment covering regulatory risk, financial risk, financial reporting risk and other risks, such as the risk to delivery to the client's end customers if the service provider fails to deliver for whatever reason. 
  •  If technology or its disaster recovery itself is outsourced, full attention is required to ensure that business operations work as designed and agreed. 
It is advisable for an operational risk manager to have oversight of each department's adherence to the management of its respective outsourcing risks, and to have this covered in the respective RCMs.

MIGRATION RISK

Migration risk is a subset of the change management ITGC, to the extent that weak controls over an end-to-end migration from one system to another can give rise to significant operational risk if the migration is not carried out perfectly. Significant effort is required before deployment to think through the exact manner of migration; the migration plan has to cover:
  •  Data, both dynamic and static 
  •  Functionality mapping from old to new system, and any changes to be adequately familiarised within user groups 
  •  Exception reports that could help track any incorrect migration points 
  •  User acceptance test scripts detailed enough to enable use of the new system only after adequate granular review 
  •  An emergency rollback plan in case some significant, unpredictable issue comes up during migration deployment. 
  •  An auditor or operational risk manager is required to carry out a review of the data integrity and the functionality of the systems that have an impact on the financials of the organisation. This risk is not restricted to financial reporting; it covers any risk that could jeopardise the business process, including regulatory, financial and other risks.

RESIDUAL RISK AND RATING/GRADING

Identified inherent risks in processes are expected to be mitigated by suitably designed controls. In any organisation that has a view on managing operational risks, all or most of the identified risks in a process would be controlled through a process that reduces or eliminates the risk of a failure taking place in that process.

Residual risk is thus the risk remaining in a process assuming the designed control is operating properly. All companies therefore strive for a low level of residual risk.

The higher the control effectiveness, the lower the residual risk; the lower the control effectiveness, the closer the residual risk stays to the level of inherent risk. We shall study the concept of controls further in the subsequent section.

DEFINITION OF RCM AND RCSA

The acronym RCM stands for Risk and Control Matrix. To understand the Risk and Control concepts we need to understand the various terms that are commonly used in assessing them, as is elucidated in this section.

The acronym RCSA stands for Risk & Control Self-Assessment; when a test step is tagged to each of the controls and the management function performs that test, the exercise is known as a Risk and Control Self-Assessment.

This is the basic platform on which an ORM framework is built. It has these critical constituents: Risk, Control, Risk grading, Control Owner.

STANDARD OPERATING PROCEDURES

Process notes / Standard Operating Procedures (SOP)

Process notes are detailed instructions that address the specific responsibilities given in the policy documents. They detail the roles and responsibilities of each department or responsible person in executing a process or transaction, and are expected to have fair granularity on how exactly a process is executed, including the controls to be exercised. In an advanced operational risk management environment, process notes tend to be very articulate, define the processes granularly and leave no scope for ambiguity or misinterpretation by those responsible for execution.

Taking the same example as in policies, in a lending institution a credit process note would detail the exact steps the organisation is to follow in lending money to a customer, and all the checks and controls expected in the process. A manufacturing process manual may describe in detail aspects such as the factory specifications, the technology used in the process or sub-process, the assembly line, the specific departmental and individual roles and technical tasks, and the output, productivity and quality expected.

OPERATIONAL RISK MANAGEMENT COMMITTEE

Operational Risk Management Committee (ORMC)
  • The ORMC must conduct its business on the basis of a Charter / Terms of Reference, and its proceedings and discussions are advised to be documented for future reference and for follow-up on agreed actionables. Regular updates to the Board (or to the Risk Management Committee of the Board, if the Board has assigned the task to it) have to be provided by the management, covering the key highlights of all the constituents. 
  • The Operational Risk framework is effective only if it is absorbed at all the relevant points of contact that manage the monitoring process at the departmental level. 
  • Hence it is advised that the Committee instruct and/or arrange regular training and awareness sessions for departmental staff, including giving them a sufficient understanding of the process of identifying new risks and adding them to the RCSA library from time to time, a process duly assisted and facilitated by the Operational Risk unit.

OPERATIONAL RISK MANAGEMENT POLICY

Operational Risk Management Policy

The following areas are advised to be addressed in the Policy. The list is indicative rather than comprehensive; depending on its priorities and readiness level, the organisation can add new areas to be covered.
  •  Role of the Board and the Risk Management Committee of the Board in driving the implementation of the framework; 
  •  Setting up an Operational Risk Management Committee comprising senior management, with an outline of the membership, quorum and frequency of meetings; 
         - Review of the Risk and Control Self-Assessment (RCSA) results, operational risk events, loss reports, and breaches of Key Risk Indicators;
         - Risk assessment of new products and services;
         - Risk assessment of existing and new technology platforms;
         - Review of cyber risk (information security);
         - Review of the Business Continuity and Disaster Recovery framework;
         - Review of any regulatory development or external event that may impact the operational risk profile of the organisation;
  •  Management functions may highlight identified process gaps and potential issues discovered by way of routine business or reviews, and include the action being taken on them. The self-awareness of management functions in highlighting such issues is an evolving process.
  •  The broad methodology for setting up the Risk & Control Self-Assessment library, the roles and responsibilities of those engaged in performing the control testing, and the collation of results and review process need to be outlined in the Policy. 
  •  The constituents of the framework, such as RCSAs, KRIs and Loss Data, are to be described in detail, followed by a brief on the roles designated to perform the necessary activities. Each of the policy stipulations is ideally backed up with corresponding process notes detailing the granular steps in implementation. 
  •  Operating linkages with other units, such as those that manage the organisation's policy and process documentation, product development, internal audit, the regulatory compliance unit, the information security officer, business continuity planning etc., need to be outlined, since operational risk impacts all these areas. 
  •  Capital computation methodology, if applicable, needs to be described in the Policy.

OPERATIONAL RISK MANAGEMENT GOVERNANCE
  • As outlined in section 1, as part of the overall responsibilities of the Board of Directors, an oversight on the operational risk profile of the organisation is also included. The nature and intensity of Board oversight may differ from organisation to organisation, depending on its constitution, any specific requirements from a regulatory angle, the industry and the nature of business etc. 
  • For banks it is mandatory to have an Operational Risk policy approved by the Board, and the RBI guidelines have clearly described roles and responsibilities of the ORM Committee, the Chief Risk Officer and other roles that are expected to engage in the implementation of the framework.
  •  For other industries where a Board approved policy may not be mandatory as per regulatory environment, it is still strongly advisable to have a comprehensive policy documenting the governance mechanism of operational risk.

WHY DOES OPERATIONAL RISK ORIGINATE?
(a) Inadequately defined products and services, which may not be compliant with industry regulations and/or may be exposed to the risk of mis-selling;

(b) Inadequately defined policies and processes, which directly and adversely impact the quality of controls such as checks and balances and segregation of duties, as may be required;

(c) Inadequate technology functionality, or infrastructure that exists in any technology supported environment, which organisations use in respective business operations;

(d) Internal or external crime that takes advantage of gaps in processes for unlawful gain, i.e. fraud;

(e) External events like terrorist attacks or natural disasters that disrupt business or cause financial losses;

(f) Change in the environment of the industry sector (including significant regulatory changes) that impacts the operational risk profile of an organisation.

Thus, Operational Risk Management (ORM) is primarily an exercise in mitigating potential losses through a well laid-out mechanism of identifying the inherent risks in a business process and reviewing / testing the efficacy of the controls related to each risk.

Additionally, an important part of ORM is also to identify and report operational risk events, including their financial impact (losses and recoveries) if any. Thus, an adequate governance framework is expected to cover both the preventive and the lag aspects of operational risks. 

WHAT IS OPERATIONAL RISK?
The most commonly used and accepted definition of operational risk is from Basel II, which states that operational risk is the risk of loss resulting from inadequate or failed processes, people and systems and from external events. 

This definition includes legal risk, but excludes strategic risk and reputational risk.

Basel II is the common name used to refer to the “International Convergence of Capital Measurement and Capital Standards: A Revised Framework,” which was published by the Bank for International Settlements in Europe in 2004, and the framework is broadly adopted, with country level customisation as required by the countries that have been party to the accord. While this was specific only for the regulated financial institutions industry, the overall concept of operational risk remains the same irrespective of the industry.

Each and every industry, whether manufacturing, trading or in service sector, is subject to a degree of operational risk though the level of risks may differ between industry sectors, companies, the nature of products and services offered, and the actual management control over these risks.

Operational risk is an overarching concept, interrelated with several other types of risk, and cannot be viewed in isolation. The most important risks linked to operational risk are the risk of non-compliance with applicable laws and regulations, the risk of fraud losses due to an internal or external event that takes advantage of gaps in processes to make an unlawful gain, the risk of financial losses, the risk of incorrect financial reporting and, in several organisations, reputational risk.

PROCESS OF ENTERPRISE RISK MANAGEMENT AND INTERNAL AUDIT

Enterprise Risk Management is a structured, consistent and continuous process of measuring or assessing risk and developing strategies to manage risk within the risk appetite. It involves identification, assessment, mitigation, planning and implementation of risk and developing an appropriate risk response policy. Management is responsible for establishing and operating the risk management framework. The Enterprise Risk Management process consists of Risk identification, prioritization and reporting, Risk mitigation, Risk monitoring and assurance. Internal audit is a key part of the lifecycle of risk management. The corporate risk function establishes the policies and procedures, and the assurance phase is accomplished by internal audit.

RISK MATURITY LEVELS

The following aspects of an organisation indicate its risk maturity. Internal auditors should refer to them when concluding on the organisation's risk maturity:
  •  Business objectives are defined and communicated. 
  •  Risk appetite is defined and communicated across the organisation. 
  •  Control environment is strong including the tone from the top. 
  •  Adequate processes exist for the assessment, management and communication of risks.

RISK MATURITY OF AN ORGANISATION
  • Some organisations, especially those in a fast-growth mode, have an organisational culture which encourages operational managers to remain at the risk naïve / risk aware level. This means that line managers are not expected to identify risks, and if they do, it is confined to their personal knowledge or to their functional team. 
  • The internal control environment may be well defined, but again it is operated by staff management (such as the accounts manager), the logic being that line managers need to spend maximum time on operations and not be distracted by unnecessary paperwork or issues other than their operations.
  •  In this mindset, coordinating activities and problem solving are considered operations, while risk assessment and management is considered a staff function. This model works well in a supply-side market, where the organisation sells whatever it produces, but flounders in a competitive and dynamic market, where new risks arise periodically and the staff management, who are not market facing, are not fast enough to incorporate new controls to address them. 
  • A risk naïve / risk aware organisation in today's dynamic environment exhibits inefficiencies such as a continuously long list of pending issues with the line manager, or even mundane issues such as goods received but unreconciled with purchase orders, or delayed supplier payments resulting in line managers chasing the accounts department for release of payment, where the root cause is usually a risk which has not been addressed.
  •  In a risk aware organisation, the silo culture, in which a manager tracks and addresses new risks related to his department only rather than to the business process as a whole, usually throws up big losses arising from customer dissatisfaction or the failure of an enterprise-wide activity such as implementing an ERP system. 
  • The audit strategy depends upon the organisation's risk maturity. Organisations at low risk-maturity levels may require internal auditors to consult, by promoting and advising on the identification of and response to risks.
  •  For organisations with high risk maturity, the internal auditor would need to concentrate more on carrying out process audits of the risk management processes, especially reviewing the risk assessment process in which the inherent (untreated) risks are identified, estimated (scored) and evaluated (compared with the risk appetite).

TECHNIQUES OF ENTERPRISE RISK MANAGEMENT (KEY 5)

Key 5: Build on Existing Risk Management Activities

Existing functions such as internal audit, compliance, ethics and other support functions can be leveraged to build on the ERM blocks and activities.

TECHNIQUES OF ENTERPRISE RISK MANAGEMENT (KEY 4)

Key 4: Leverage Existing Resources

Organizations often discover that they can rely on their existing staff, whose knowledge and capabilities relating to risks and risk management can be used effectively to start the ERM process. For example, some organizations have used their Chief Audit Executive or their Chief Financial Officer as the catalyst to begin an ERM initiative. In other instances, organizations have appointed a management committee, sometimes headed by the Chief Financial Officer (CFO), to bring together a wide array of personnel from across the entity who collectively have sufficient knowledge of the organization's core business model and related risks and risk management practices to get ERM moving.

In addition, most organizations start their ERM effort without any specific enabling technology or automated tools other than basic spreadsheets and word-processing capabilities.



TECHNIQUES OF ENTERPRISE RISK MANAGEMENT (KEY 3)

Key 3: Focus on a Simple Risk Model with a Small Number of Top Risks

The ERM team should identify a small number of critical and strategic risks that can be managed, and then evolve from this start.

Focusing initially on a smaller, manageable number of key risks would also be beneficial in developing related processes such as monitoring and reporting for those specific risks. This focused approach also keeps the developing ERM processes simple and lends itself to subsequent incremental steps to expand the risk universe and ERM processes.


TECHNIQUES OF ENTERPRISE RISK MANAGEMENT (KEY 2)

Key 2: Building ERM Using Small but Solid Steps

Organisations can start with a simple process and build from there using incremental steps, rather than trying to make a quantum leap to fully implement a complete ERM process.

By doing so, they are able to:
  • Identify and implement key practices to achieve immediate, tangible results. 
  •  Provide an opportunity to change and further tailor ERM processes.

TECHNIQUES OF ENTERPRISE RISK MANAGEMENT

Winning support and sponsorship from top management is a precursor

The Board of directors should sponsor the ERM function and activities by providing the right focus, resources and attention for ERM. ERM must be truly enterprise wide, and understood and embraced by all personnel, and driven from the top through clear and consistent communication and messaging from the company’s board to senior management and to the organization as a whole.

The Board needs to put in place an effective ERM leader who is widely respected across the organization and who has accepted responsibility for overall ERM leadership, resources and support to accomplish the effort.

IMPLEMENTING ERM

The COSO framework defines Enterprise Risk Management (ERM) as a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and to manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. ERM includes the following activities: 
  •  Determining the risk appetite. 
  •  Establishing an appropriate internal environment, including a risk management policy and framework. 
  •  Identifying potential threats to the achievement of its objectives and assessing the risk, i.e., the impact and likelihood of the threat occurring. 
  •  Undertaking control and other response activities. 
  • Communicating information on risks in a consistent manner at all levels in the organization. 
  •  Centrally monitoring and coordinating the risk management processes and the outcomes, and 
  •  Providing assurance on the effectiveness with which risks are managed. 
The term 'risk appetite' used in the above definition refers to the extent of risk that the Board is willing to take to pursue the objectives. Risk appetite setting is done at different levels, viz. for the organization at the entity level, process level, and different risk groups and for individual key risks. Risk appetite provides a standard against which a risk can be compared and where the risk is above the risk appetite, it is considered a threat to the reasonable assurance that the objective will be achieved.

Risk appetite is normally to be set lower than the risk capacity; however, with an aggressive Board, the risk appetite can be higher than the risk capacity. For example, the Board may decide to utilise, for operational purposes in the short term, funds earmarked for payment of the quarterly instalment of taxes. This could result in default on payment on the due date, and hence becomes a significant risk which needs to be covered and reported upon by the internal auditor even though it may be within the risk appetite. However, in the normal course, internal auditors are expected to take the risk appetite as a given, and evaluating the risk appetite is outside the audit scope. Internal auditors can, however, take up a consulting activity of assisting the Board in fixing the risk appetite and documenting it.

ERM is a new approach to the ways organizations assess, manage and communicate business risks. By helping organizations climb the risk maturity scale, ERM makes a major contribution to helping an organization manage risks to achieve its objectives. ERM helps an organization become a risk-managed business.

An ERM policy is first put in place which defines the guiding principles showing responsibility of line management for ERM and the broad activities covered by the risk management processes. A risk management framework to implement the ERM policy is then finalized showing the activities which need to be carried out and how they are to be carried out under three processes, viz.
  •  Risk assessment. 
  •  Risk management. 
  •  Risk communication. 
Implementation is facilitated by a risk manager or the internal auditor as a consulting assignment. Subsequently risk based internal audit is carried out.

DEFINITION AND SCOPE OF ENTERPRISE RISK MANAGEMENT
  • A fast-changing business scenario, uncertainty arising from global events, disruptive competition, the protectionist agenda of cultural majorities, and volatility of commodity and currency prices create stress and complexity in managing businesses. 
  • Gradually, these events start playing on the minds of stakeholders. The occurrence of risk events, coupled with their poor handling, impacts organisational performance. Enterprise Risk Management (ERM) / Business Risk Management (BRM) in a structured form assists organisations in preparing for the worst-case scenario while aspiring to be “better, faster and cheaper”. 
  • ERM is arguably the only effective tool in contemporary times that assists in evaluating and bridging the gap between uncertainty and performance in organisations; it also offers a simplified approach to problem solving and makes the organisation nimble-footed. Iconic entities that feature in the top global rankings consistently practise integrated risk management.
  • Enterprise risk management (ERM) is a leading best-practice approach to effectively managing and optimising business events that have the potential to impact business objectives, or risks, enabling a company to determine how much uncertainty and risk are acceptable to it.